Port knocking: a stealthy system for network authentication across closed ports

Details of Port Knocking Mechanism

Perl prototype v0.30 (2004-Nov-14): Net::Pcap support added, so the daemon sniffs packets directly and no longer requires a firewall log file.

Once you've perused the firewall primer, learn about the details of port knocking here. Ideas about how to use port knocking in simple situations are presented, as well as an outline of how to use encryption to avoid eavesdropping.

Codes and Ciphers

Codes and Ciphers: Julius Caesar, the ENIGMA, and the Internet, by Robert Churchhouse

Cryptonomicon

Cryptonomicon, by Neal Stephenson

Excerpt: The orders arrive encrypted into groups of five random-looking letters, printed out on the blue tissue paper that is used for top-secret cablegrams. The message has been encrypted in Washington using a one-time pad, which is a slow and awkward but, in theory, perfectly unbreakable cipher used for the most important messages. Waterhouse knows this because he is one of the only two persons in Pearl Harbor who has clearance to decrypt it. The other one is Commander Schoen, and he is under sedation today. The duty officer opens up the appropriate safe and gives him the one-time pad for the day, which is basically a piece of graph paper covered with numbers printed in groups of five. The numbers have been chosen by secretaries in a basement in Washington by shuffling cards or drawing chits out of a hat. They are pure noise. One copy of the pure noise is in Waterhouse's hands, and the other copy is used by the person who encrypted this message in Washington.

spoofing

If a single encrypted knock is intercepted, it is highly unlikely that it can be decrypted. The picture changes once several knocks are captured. Every knock carries content the eavesdropper can guess or simply observe (the client's IP address, for one, is visible in the packet headers), and a cipher that encrypts the same payload layout under the same key, with no per-knock nonce, repeats its ciphertext wherever the plaintext repeats. Knocks from one client then become linkable, and known plaintext in one knock gives the eavesdropper leverage against all the others. The defence is a cipher used in a mode that never produces the same ciphertext twice for the same plaintext, which a fresh nonce or IV per knock provides; a cleverer knock sequence does not help here.
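To make the eavesdropper's advantage concrete, here is an added example; it is not code from the port knocking project, whose cipher this page does not specify. It assumes a shared secret, a SHA-256-derived keystream XORed onto a constructed payload of four IPv4 address bytes and a two-byte port, and one knock per byte on port 1024 plus the byte value; the nonce used in the second half is assumed to travel alongside the knock in the clear and is not modelled on the wire. It shows that under a fixed keystream two knocks from the same client are linkable by their first four ports, that one knock whose plaintext the eavesdropper can reconstruct (the IP from the packet header, the port from the connection that follows) yields the entire keystream and lets them forge an accepted knock for a host that never knocked, and that a per-knock nonce which the daemon refuses on reuse closes both holes.

```python
"""Known-plaintext exposure of encrypted knocks under a fixed key (added example).

Not the port knocking project's cipher; the page does not specify one. Assumed here:
a shared secret, a keystream derived from it with SHA-256, a constructed payload of
4 IPv4 bytes + 2 port bytes, and one knock per payload byte on port BASE_PORT + byte.
"""
import hashlib
import struct
from typing import Optional, Tuple

SECRET = b"example shared secret"   # assumption: shared client/daemon key
BASE_PORT = 1024                     # assumption: payload byte b is sent as a knock on 1024+b


def keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from secret + per-knock nonce; an empty nonce gives the weak, fixed keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def build_payload(client_ip: str, port_to_open: int) -> bytes:
    """Constructed layout: IPv4 address (4 bytes) then the port the client wants opened."""
    return bytes(int(o) for o in client_ip.split(".")) + struct.pack(">H", port_to_open)


def encrypt_knock(payload: bytes, nonce: bytes = b"") -> list:
    return [BASE_PORT + (p ^ k) for p, k in zip(payload, keystream(SECRET, nonce, len(payload)))]


def decrypt_knock(ports: list, nonce: bytes = b"") -> bytes:
    return bytes((p - BASE_PORT) ^ k for p, k in zip(ports, keystream(SECRET, nonce, len(ports))))


def recover_keystream(observed_ports: list, known_payload: bytes) -> bytes:
    """Eavesdropper: known plaintext XOR observed ciphertext bytes = keystream bytes."""
    return bytes((p - BASE_PORT) ^ b for p, b in zip(observed_ports, known_payload))


def forge_knock(recovered_ks: bytes, payload: bytes) -> list:
    """Eavesdropper: reuse the recovered keystream on a payload of their choosing."""
    return [BASE_PORT + (b ^ k) for b, k in zip(payload, recovered_ks)]


class Daemon:
    """Daemon side. With use_nonce=True it keys the keystream on the nonce and refuses repeats."""

    def __init__(self, use_nonce: bool):
        self.use_nonce = use_nonce
        self.seen_nonces = set()

    def accept(self, ports: list, nonce: bytes = b"") -> Optional[Tuple[str, int]]:
        if self.use_nonce:
            if nonce in self.seen_nonces:
                return None                      # replayed nonce: that keystream is burnt
            self.seen_nonces.add(nonce)
        payload = decrypt_knock(ports, nonce if self.use_nonce else b"")
        ip = ".".join(str(b) for b in payload[:4])
        return ip, struct.unpack(">H", payload[4:6])[0]


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (knocks_linkable, forgery_accepted, replay_refused, forgery_fails_with_fresh_nonce)."""
    # Constructed traffic: 10.0.0.5 knocks twice under the fixed keystream, asking for 22 then 80.
    k1 = encrypt_knock(build_payload("10.0.0.5", 22))
    k2 = encrypt_knock(build_payload("10.0.0.5", 80))
    linkable = k1[:4] == k2[:4]               # identical first four knocks: same IP, same keystream

    # The eavesdropper read 10.0.0.5 from the IP header and then watched it connect to port 22,
    # so k1's plaintext is fully known; that yields the whole keystream and a forgeable knock
    # for a host that never knocked.
    ks = recover_keystream(k1, build_payload("10.0.0.5", 22))
    forged = forge_knock(ks, build_payload("192.168.1.7", 22))
    forgery_accepted = Daemon(use_nonce=False).accept(forged) == ("192.168.1.7", 22)

    # With a per-knock nonce the same known-plaintext step still yields that knock's keystream,
    # but it is only valid for that nonce, which the daemon will not accept a second time.
    strict = Daemon(use_nonce=True)
    n1 = b"\x00\x01"
    k3 = encrypt_knock(build_payload("10.0.0.5", 22), n1)
    assert strict.accept(k3, n1) == ("10.0.0.5", 22)
    forged2 = forge_knock(recover_keystream(k3, build_payload("10.0.0.5", 22)),
                          build_payload("192.168.1.7", 22))
    replay_refused = strict.accept(forged2, n1) is None
    fresh_nonce_fails = strict.accept(forged2, b"\x00\x02") != ("192.168.1.7", 22)
    return linkable, forgery_accepted, replay_refused, fresh_nonce_fails


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```

A block cipher in ECB mode, or a stream cipher with a reused IV, has the same weakness in slightly different form: equal plaintext blocks show up as equal ciphertext, and captured ciphertext can be reused. The cure is the mode of operation and nonce discipline on both sides, not a longer or stranger knock sequence.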

As an aside, if you would like a fun fictional take on cryptanalysis, try Cryptonomicon by Neal Stephenson. A very accessible introduction to cryptography, with some mathematical background, is Codes and Ciphers: Julius Caesar, the ENIGMA, and the Internet by Robert Churchhouse.

Ok, back to serious matters. Francisco (www.blackant.net) raised the idea of including random data in the knock sequence together with a non-contiguous listening port range to confuse eavesdroppers, and I think it has merit. Suppose the daemon originally listened for knocks on ports 500-755. Remap that range onto windows such as 450-469, 480-499, 510-529, ..., leaving the gaps 470-479, 500-509, ... unmonitored by the daemon. A client that knows which ports the daemon ignores can then pad the encrypted knock sequence with any number of random knocks on those ports, and the daemon reconstructs the same sequence as before.

For example, the knock sequence 455, 485, 515 is equivalent to 455, 470, 485, 500, 515, 530: the daemon acts only on the monitored ports 455, 485 and 515 and never registers the decoys 470, 500 and 530. Keep this in proportion, though. Padding of this kind adds obscurity rather than strength, and any method that tries to make the knock sequence more complicated by heuristics is likely to have less success than selecting a cryptographically strong cipher.
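The remapping and the decoy insertion, as an added example that is not the project's code. It takes its layout from the page's numbers, an original listening range of 500-755 remapped onto 20-port windows separated by 10-port gaps starting at 450; the formula that maps original ports onto that layout, the random placement of decoys, and the function names are assumptions. It also checks the one thing that can silently break the scheme: a real knock that lands in a gap is dropped by the daemon just like a decoy.

```python
"""Decoy knocks on unmonitored ports: client padding and daemon filtering (added example).

Layout taken from the page's numbers: the original range 500-755 is remapped onto
20-port windows separated by 10-port gaps, starting at 450 (450-469, 480-499, 510-529, ...).
The remap formula and the random placement of decoys are assumptions, not project code.
"""
import random

ORIG_LO, ORIG_HI = 500, 755              # original contiguous listening range
BASE, WINDOW, GAP = 450, 20, 10          # first window starts at 450; 20 watched, 10 ignored
STRIDE = WINDOW + GAP
N_WINDOWS = (ORIG_HI - ORIG_LO + 1 + WINDOW - 1) // WINDOW   # 13 windows cover the 256 ports


def monitored_windows() -> list:
    return [(BASE + STRIDE * i, BASE + STRIDE * i + WINDOW - 1) for i in range(N_WINDOWS)]


def chaff_windows() -> list:
    """The gaps: ports the daemon never watches, so a knock there is invisible to it."""
    return [(hi + 1, hi + GAP) for _, hi in monitored_windows()]


def is_monitored(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in monitored_windows())


def remap(orig_port: int) -> int:
    """Map a port from the original 500-755 range onto the non-contiguous layout."""
    idx = orig_port - ORIG_LO
    if not 0 <= idx <= ORIG_HI - ORIG_LO:
        raise ValueError(f"{orig_port} is outside {ORIG_LO}-{ORIG_HI}")
    return BASE + STRIDE * (idx // WINDOW) + idx % WINDOW


def unmap(monitored_port: int) -> int:
    """Inverse of remap; only defined for monitored ports."""
    window, offset = divmod(monitored_port - BASE, STRIDE)
    if not (0 <= window < N_WINDOWS and offset < WINDOW):
        raise ValueError(f"{monitored_port} is not a monitored port")
    return ORIG_LO + window * WINDOW + offset


def add_chaff(real_sequence: list, n_decoys: int, seed=None) -> list:
    """Client side: sprinkle n_decoys random knocks on gap ports into the real sequence.

    A real knock on a gap port would be silently dropped by the daemon, so refuse that.
    seed is for reproducible tests only; without it the system CSPRNG places the decoys.
    """
    for p in real_sequence:
        if not is_monitored(p):
            raise ValueError(f"real knock {p} falls in an unmonitored gap")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    padded = list(real_sequence)
    for _ in range(n_decoys):
        lo, hi = rng.choice(chaff_windows())
        padded.insert(rng.randint(0, len(padded)), rng.randint(lo, hi))
    return padded


def daemon_filter(observed: list) -> list:
    """Daemon side: only monitored ports register, so decoys fall away and order is kept."""
    return [p for p in observed if is_monitored(p)]


if __name__ == "__main__":
    real = [455, 485, 515]                                     # the page's example sequence
    print(daemon_filter([455, 470, 485, 500, 515, 530]))       # [455, 485, 515]
    padded = add_chaff(real, 5)
    print(padded, "->", daemon_filter(padded))
```

Note what the decoys do not change: the daemon applies the same filter to whoever sends the sequence, so an eavesdropper who replays the whole observed sequence, decoys and all, gets exactly the result the legitimate client got. The gap layout is a second static secret that every client must know, and the cipher is still what carries the security.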

last updated 2004-Apr-05 17:13
Port Knocking (c) 2002-2017 Martin Krzywinski